As next-generation threats, typified by the advanced persistent threat (APT), emerge, conventional security protection approaches face new challenges. Once a company is compromised by an APT, its core trade secrets may be leaked, resulting in incalculable losses for the company. Industries critical to national economies and people's livelihoods, such as finance, energy, and transportation, may be paralyzed, with effects as severe as those of a war.
In 2010, Google (Google Inc.) was hit by a next-generation threat known as Aurora. As a result, Gmail (Google's free web-based email service) accounts were compromised and their contents exposed, severely damaging the Google brand. In 2010, Iranian nuclear facilities were attacked by Stuxnet, severely damaging the centrifuges that are the core component of those facilities; the consequence of such an attack can be as severe as a precision bombing. In 2011, RSA was attacked by a next-generation threat targeting SecurID. Consequently, a large quantity of SecurID data was leaked and the security of customers relying on SecurID was severely affected; the resulting doubts about RSA's security severely damaged its public image. In March 2013, the banking industry of the Republic of Korea was hit by a targeted APT. Consequently, many bank host systems broke down, severely damaging the banks' image among their customers. How to cope with next-generation threats represented by the APT, and how to cope with a possible future network war, are significant problems to be solved.
In an existing user network, anti-virus software is usually installed on the terminal devices, and a sandbox is deployed in front of the gateway or in front of the email server. The anti-virus software on the terminal detects malicious software mainly by matching files against the latest signature library provided by the software vendor, so it cannot recognize a sample for which no signature has yet been published, which is the common case for APT malware. The sandbox is deployed in front of the gateway or the email server mainly to detect APTs arriving from the Internet, by running suspicious files in an isolated environment and observing their behaviour.
Sandboxes are generally capable of detecting an APT arriving from the Internet. However, while a sandbox can observe that the internal network is being attacked by an APT, it cannot determine whether a given user terminal on the internal network has actually been infected, and it cannot identify which user terminals are infected. For example, a sandbox may detect that the internal network to which it belongs is being attacked by an APT delivered to user terminals by email. Some user terminals are infected because their users opened the email and its malicious attachment, while others are not infected because the email was never opened. For another example, a sandbox may detect an APT attack that exploits a vulnerability in a particular version of an application. User terminals running that version are compromised by the APT, whereas user terminals running a later version, in which the vulnerability has been fixed, are not affected by the attack. In both cases the sandbox sees only the inbound attack, not the state of each terminal.
As such, although an APT attack on an internal network can be detected using an existing sandbox, it cannot be determined whether any user terminal is infected, nor which specific user terminals are infected. Therefore, no targeted response (such as isolating or remediating exactly the infected terminals) can be carried out.
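The gap described above can be made concrete by correlating what the sandbox reports with what each terminal can report about itself. The following is an added example written for this page, not code from the original document or from any product it describes. It assumes a sandbox verdict that records the malicious attachment's SHA-256, the recipients of the email, and the application version in which the exploited vulnerability was fixed, and it assumes per-terminal telemetry listing installed application versions and the hashes of attachments actually opened. Both the field names and the sample data are constructed for illustration. The classification deliberately keys on the attachment hash observed on the terminal rather than on the recipient list, so that a terminal that opened a forwarded copy of the email is still caught.

```python
"""Correlate a mail-sandbox verdict with per-terminal telemetry to separate
terminals that were merely targeted from those that were likely infected.
Added example; all schemas and data below are constructed, not from a real incident."""

from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'11.0.3' -> (11, 0, 3); tuples then compare component-wise."""
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class SandboxVerdict:
    """What the gateway/mail sandbox knows about one inbound attack (assumed fields)."""
    message_id: str
    attachment_sha256: str
    recipients: frozenset          # hostnames the email was delivered to
    exploited_app: str             # application the attachment exploits
    fixed_in: Version              # versions >= fixed_in are not exploitable


@dataclass
class TerminalTelemetry:
    """What an endpoint agent reports about one terminal (assumed fields)."""
    host: str
    app_versions: Dict[str, Version]
    opened_attachments: Set[str] = field(default_factory=set)  # SHA-256 hashes


def is_vulnerable(telemetry: TerminalTelemetry, verdict: SandboxVerdict) -> bool:
    """True when the terminal runs a version of the exploited app older than the fix."""
    installed = telemetry.app_versions.get(verdict.exploited_app)
    if installed is None:
        return False  # application absent: the exploit has nothing to hit
    return installed < verdict.fixed_in


def classify(verdict: SandboxVerdict, fleet: List[TerminalTelemetry]) -> Dict[str, str]:
    """Map each host to one of four states. The attachment hash is checked first,
    so a forwarded copy opened on a non-recipient host is still classified as infected."""
    result: Dict[str, str] = {}
    for t in fleet:
        opened = verdict.attachment_sha256 in t.opened_attachments
        if opened and is_vulnerable(t, verdict):
            result[t.host] = "likely_infected"
        elif opened:
            result[t.host] = "opened_not_vulnerable"   # exploit ran against a patched app
        elif t.host in verdict.recipients:
            result[t.host] = "targeted_not_opened"     # email delivered, never opened
        else:
            result[t.host] = "not_targeted"
    return result


def infected_hosts(verdict: SandboxVerdict, fleet: List[TerminalTelemetry]) -> List[str]:
    """The hosts a targeted response (isolation, remediation) should act on."""
    return sorted(h for h, s in classify(verdict, fleet).items() if s == "likely_infected")


# Constructed sample data: one sandbox verdict and a four-host fleet.
MALICIOUS_HASH = "a" * 64  # placeholder SHA-256, not a real sample

SAMPLE_VERDICT = SandboxVerdict(
    message_id="<msg-0001@example.invalid>",
    attachment_sha256=MALICIOUS_HASH,
    recipients=frozenset({"ws-01", "ws-02", "ws-03"}),
    exploited_app="reader",
    fixed_in=parse_version("11.0.4"),
)

SAMPLE_FLEET = [
    # recipient, opened the attachment, vulnerable version -> likely infected
    TerminalTelemetry("ws-01", {"reader": parse_version("11.0.3")}, {MALICIOUS_HASH}),
    # recipient, never opened the email -> targeted but not infected
    TerminalTelemetry("ws-02", {"reader": parse_version("11.0.3")}, set()),
    # recipient, opened it, but already on the fixed version -> not infected
    TerminalTelemetry("ws-03", {"reader": parse_version("11.0.4")}, {MALICIOUS_HASH}),
    # not a recipient, but opened a forwarded copy on a vulnerable version -> likely infected
    TerminalTelemetry("ws-04", {"reader": parse_version("11.0.3")}, {MALICIOUS_HASH}),
]

if __name__ == "__main__":
    for host, status in sorted(classify(SAMPLE_VERDICT, SAMPLE_FLEET).items()):
        print(f"{host}: {status}")
    print("respond on:", infected_hosts(SAMPLE_VERDICT, SAMPLE_FLEET))
```

Run as-is, the script reports ws-01 and ws-04 as likely infected, ws-02 as targeted but not opened, and ws-03 as opened but not vulnerable. The sandbox alone would have flagged only the inbound email; without the per-terminal telemetry neither the ws-02/ws-03 false positives nor the ws-04 forwarded copy could be resolved.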